From: Eon Blue on
I recently installed a 2003 server to take over AD and DNS duties from
a 2000 server that is being decommissioned. They've been running side by
side with no problems for a while. However I noticed yesterday that AD
changes are not being replicated which sent me on this wild goose chase
to track down the problem. Here's what I've found out so far:

The 2003 server is pulling changes to the AD from the 2000 server, but
the 2000 server is not pulling changes from the 2003 server. When I go
to AD Sites and NTDS and choose Replicate Now it doesn't work. If I do
it on the 2003 side I get "The RPC server could not be found". If I do
it on the 2000 side I get "The naming context is in the process of
being removed....".

The 2003 server is not creating the SRV records in DNS. It's pointing
to itself for dns resolution. When I try to run netdiag or dcdiag to
check DNS it says it can't find an authoritative server. It says this
on both the 2000 and 2003 servers. I can use nslookup to resolve the
server name to the correct ip successfully from both machines.

The most troubling error I get in the event log on the 2003 server is
in DNS id 4015 "DNS server encountered a critical error from AD.
Extended error is UNABLE_TO_PROCEED".

I successfully transferred Operations Master and PDC roles from the 2000
server to the 2003 server. Now when I check the operations master on
the 2000 server it has ERROR for the server name. On the 2003 server it
looks fine.


I'm lost on this one. Any help would be greatly appreciated.

From: Brandon McGarvey on
Was the domain already 2003 or is this the first 2003 domain controller?
There are many pre-installation steps and checks you must follow before
upgrading Active Directory to 2003. Did you perform all of these steps? There
is a good guide available from Microsoft for upgrading your domain to 2003.
Also, I assume you have not changed the forest/domain levels. You should be
running in 2000 mixed. If the 2003 DC has not registered Kerberos/LDAP
records in DNS, you will definitely have a problem with everything else, like
replication. You need to figure out what is wrong with DNS.

"Eon Blue" wrote:

> I recently installed a 2003 server to take over AD and DNS duties from
> a 2000 server that is being decommissioned. They've been running side by
> side with no problems for a while. However I noticed yesterday that AD
> changes are not being replicated which sent me on this wild goose chase
> to track down the problem. Here's what I've found out so far:
>
> The 2003 server is pulling changes to the AD from the 2000 server, but
> the 2000 server is not pulling changes from the 2003 server. When I go
> to AD Sites and NTDS and choose Replicate Now it doesn't work. If I do
> it on the 2003 side I get "The RPC server could not be found". If I do
> it on the 2000 side I get "The naming context is in the process of
> being removed....".
>
> The 2003 server is not creating the SRV records in DNS. It's pointing
> to itself for dns resolution. When I try to run netdiag or dcdiag to
> check DNS it says it can't find an authoritative server. It says this
> on both the 2000 and 2003 servers. I can use nslookup to resolve the
> server name to the correct ip successfully from both machines.
>
> The most troubling error I get in the event log on the 2003 server is
> in DNS id 4015 "DNS server encountered a critical error from AD.
> Extended error is UNABLE_TO_PROCEED".
>
> I successfully transferred Operations Master and PDC roles from the 2000
> server to the 2003 server. Now when I check the operations master on
> the 2000 server it has ERROR for the server name. On the 2003 server it
> looks fine.
>
>
> I'm lost on this one. Any help would be greatly appreciated.
>
>
From: Eon Blue on
Thanks for the reply. This is the first 2003 domain controller. The
domain level right now is 2000 native. I did go through the
pre-installation steps, ran the domainprep and forestprep. Everything
seemed to be working fine. I have been making changes to the AD solely
on the 2000 server, so it was replicating to the 2003 server without
any problems. I didn't notice it until I started adding accounts on the
2003 server and they weren't copying over to the 2000 server.

I don't know what's going on with DNS. I can query DNS on the 2003
server just fine, but I get the authoritative error when running
netdiag. When I check the netlogon.dns file all the entries are there
for kerberos/ldap but they are not registering on the dns server. I do
have dynamic updates on for all the DNS zones.

From: Brandon McGarvey on
Well, to try to narrow down where the root of the problem is, you can try adding
the Kerberos and LDAP records for the 2003 DC manually in DNS and see if
replication works. Just add the _kerberos, _ldap, and _kpasswd TCP SRV
records in the _tcp container and add the _kerberos and _kpasswd UDP records
in the _udp container. You may also need to add these records into the _msdcs
container as well. I don't think you will need to worry about adding the
records to any _sites containers for now. Of course, you will want all the
proper records registered eventually so that your client computers locate the
services properly.

Again, I suggest this just as a test to help narrow down your issue. The
domain controller should add these records itself when Net Logon starts (or
if you restart it), but since they aren't, manually adding records in DNS
will tell us if replication will work if DNS is fixed.

"Eon Blue" wrote:

> Thanks for the reply. This is the first 2003 domain controller. The
> domain level right now is 2000 native. I did go through the
> pre-installation steps, ran the domainprep and forestprep. Everything
> seemed to be working fine. I have been making changes to the AD solely
> on the 2000 server, so it was replicating to the 2003 server without
> any problems. I didn't notice it until I started adding accounts on the
> 2003 server and they weren't copying over to the 2000 server.
>
> I don't know what's going on with DNS. I can query DNS on the 2003
> server just fine, but I get the authoritative error when running
> netdiag. When I check the netlogon.dns file all the entries are there
> for kerberos/ldap but they are not registering on the dns server. I do
> have dynamic updates on for all the DNS zones.
>
>
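The test Brandon describes, working through the records Net Logon should have registered and hand-adding the ones DNS is not serving, is easy to get wrong by hand because netlogon.dns on a DC lists dozens of SRV records. The script below is an added example, not code from the thread or from Microsoft: it parses a netlogon.dns file (the format Net Logon writes to %SystemRoot%\System32\config\netlogon.dns), compares the SRV records against what the DNS server actually answers, orders the missing ones the way the post suggests (plain _tcp/_udp first, then _msdcs, _sites last) and prints the dnscmd /RecordAdd command for each. The domain example.local, the hosts dc2000 and dc2003, the address, and the "served" answer set are constructed for the example; in real use the answer set would be filled from nslookup -type=SRV output. It also assumes _msdcs lives under the domain zone, which is the usual layout in a domain upgraded from 2000 (a fresh 2003 forest puts it in a separate _msdcs zone, in which case the zone argument changes).

```python
import re
from dataclasses import dataclass

# Constructed sample in the format Net Logon writes to
# %SystemRoot%\System32\config\netlogon.dns. The domain "example.local",
# the host "dc2003" and the address are assumptions for this example.
SAMPLE_NETLOGON_DNS = """\
example.local. 600 IN A 192.0.2.10
_ldap._tcp.example.local. 600 IN SRV 0 100 389 dc2003.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 dc2003.example.local.
_kerberos._tcp.example.local. 600 IN SRV 0 100 88 dc2003.example.local.
_kerberos._udp.example.local. 600 IN SRV 0 100 88 dc2003.example.local.
_kpasswd._tcp.example.local. 600 IN SRV 0 100 464 dc2003.example.local.
_kpasswd._udp.example.local. 600 IN SRV 0 100 464 dc2003.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 600 IN SRV 0 100 389 dc2003.example.local.
"""

# owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # fully qualified owner name, e.g. "_ldap._tcp.example.local."
    ttl: int
    priority: int
    weight: int
    port: int
    target: str     # DC host name, with trailing dot

    @property
    def rdata(self):
        return (self.priority, self.weight, self.port, self.target)


def parse_netlogon_dns(text):
    """Return the SRV records in netlogon.dns; A and CNAME lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(
                m["owner"].lower(), int(m["ttl"]), int(m["prio"]),
                int(m["weight"]), int(m["port"]), m["target"].lower()))
    return records


def node_name(owner, zone):
    """Owner name relative to the zone, the form dnscmd /RecordAdd expects."""
    suffix = "." + zone.lower().rstrip(".") + "."
    if not owner.lower().endswith(suffix):
        raise ValueError(f"{owner} is not under zone {zone}")
    return owner[:-len(suffix)]


def add_order(rec):
    """Order suggested in the post for hand-adding: plain _tcp/_udp records
    first, then _msdcs, and the _sites records last."""
    labels = rec.owner.split(".")
    if "_sites" in labels:
        return 2
    if "_msdcs" in labels:
        return 1
    return 0


def missing_records(expected, served):
    """Records from netlogon.dns that the DNS server does not answer with.

    `served` maps an owner name to the set of SRV rdata tuples the server
    returned; a missing key stands for NXDOMAIN or an empty answer."""
    missing = [r for r in expected if r.rdata not in served.get(r.owner, set())]
    return sorted(missing, key=add_order)


def dnscmd_add(rec, zone, dns_server):
    """dnscmd command that adds one SRV record to the zone on dns_server."""
    return (f"dnscmd {dns_server} /RecordAdd {zone} {node_name(rec.owner, zone)} "
            f"SRV {rec.priority} {rec.weight} {rec.port} {rec.target}")


if __name__ == "__main__":
    ZONE, DNS_SERVER = "example.local", "dc2000.example.local"   # assumed names
    expected = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    # Constructed answer set standing in for what the 2000 DNS server returns:
    # only the old DC's own _ldap record exists, so every dc2003 record is missing.
    served = {"_ldap._tcp.example.local.": {(0, 100, 389, "dc2000.example.local.")}}
    for rec in missing_records(expected, served):
        print(dnscmd_add(rec, ZONE, DNS_SERVER))
```

Run it against the real file with `served` filled from nslookup answers and the printed commands are exactly the manual additions the post proposes; once dynamic registration works again the hand-added records are harmless, because Net Logon re-registers the same rdata and DNS does not duplicate identical records.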
From: Paul Bergson on
Check to see if the NETLOGON share is shared, \\<server name>\NETLOGON, or
check to see if the Netlogon service is running.

If this isn't working, replication can't be working. Your DC isn't
operational.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"Eon Blue" <eonblue77(a)gmail.com> wrote in message
news:1129292098.355839.308370(a)g47g2000cwa.googlegroups.com...
> Thanks for the reply. This is the first 2003 domain controller. The
> domain level right now is 2000 native. I did go through the
> pre-installation steps, ran the domainprep and forestprep. Everything
> seemed to be working fine. I have been making changes to the AD solely
> on the 2000 server, so it was replicating to the 2003 server without
> any problems. I didn't notice it until I started adding accounts on the
> 2003 server and they weren't copying over to the 2000 server.
>
> I don't know what's going on with DNS. I can query DNS on the 2003
> server just fine, but I get the authoritative error when running
> netdiag. When I check the netlogon.dns file all the entries are there
> for kerberos/ldap but they are not registering on the dns server. I do
> have dynamic updates on for all the DNS zones.
>